Secure Boot Customization Guide - Technical whitepaper
© Copyright 2017 HP Development Company, L.P. 
2 Setting up a customized Secure Boot environment 17 
If successful, the command should produce output similar to the following: 
Figure 16  Successful output of formatted KEK 
It is the SignableFilePath file, in this case KEK_SigList_Serialization_for_KEK.bin, which is submitted to your HSM solution
for signing. This file must be signed with the private key of your new PK, because the firmware only accepts a KEK update
that is authorized by the PK. A proper signing command for KEK_SigList_Serialization_for_KEK.bin, if using a PFX file³, is
as follows. In this case, signtool must be in your path:

Figure 17  Command line switches to sign KEK with PK private key

signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f .\PK.PFX /p <password> KEK_SigList_Serialization_for_KEK.bin

Replace <password> with the actual private key password for your PFX file. The result of the above command is a PK-signed
KEK serialized into a file called KEK_SigList_Serialization_for_KEK.bin.p7. If your HSM provider performs the signing
instead, use the signed file that it returns in place of this .p7 file.

Once you have the PK-signed KEK, it is ready for import to your platform. Importing is done with the Set-SecureBootUEFI
command inside Windows PowerShell. Again, there are two steps possible here. The first step simply creates a valid time-
authenticated variable package, which could be imported using a simple UEFI SetVariable() call. This package is saved to
a file called KEK_NewKey_Import_KEK.bin. This step is worth running even if you plan to use Windows tools to import the
new KEK onto your platform, because it lets you inspect the exact bytes before anything is written. The second step uses
Windows tools to write the new KEK directly to your platform BIOS storage repository.

2.6.1 KEK: Create a valid SetVariable() package

Set-SecureBootUEFI Command Line Parameter                   Meaning
-Name KEK                                                   Indicates that you are working with the Key Exchange Key (KEK).
-Time 2016-02-01T13:30:00Z                                  Specifies the timestamp of the update. It must be given, and it must be the
                                                            same value that was passed to Format-SecureBootUEFI when the serialization
                                                            was created, because the timestamp is part of the signed data.
-ContentFilePath .\KEK_SigList.bin                          Specifies the name of the file which contains the unsigned, formatted KEK.
-SignedFilePath .\KEK_SigList_Serialization_for_KEK.bin.p7  Specifies the name of the file which contains the signed, formatted KEK.
-OutputFilePath .\KEK_NewKey_Import_KEK.bin                 Specifies the file which will contain the output of the command upon
                                                            successful completion. When this parameter is given, the package is
                                                            written to the file and the firmware variable is not modified.
Table 5  Command line switches to create SetVariable() package for KEK

³ This would be the approach if you used self-signed certificates, but it is strongly recommended that you perform the same action in the
context of your own HSM provider.
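The following script is an added example and is not code from the HP whitepaper. It runs the KEK procedure of this section end to end (sign the serialization with the PK, build the SetVariable() package, optionally write the KEK and read it back) and, before any firmware write, checks the package header against the EFI_VARIABLE_AUTHENTICATION_2 layout from the UEFI specification. Assumptions not taken from the original page: PK.PFX holds a self-signed PK (the footnote 3 case; with an HSM, replace the signtool call with the HSM's detached PKCS#7 signing step and keep the .p7 file name), signtool.exe is on the path, the shell is an elevated PowerShell, and the -Time value is the same one that was passed to Format-SecureBootUEFI when the serialization was produced. The -WriteToFirmware switch, the variable names and the header offsets are the example's own.

```powershell
<#
Added example (not from the HP whitepaper): section 2.6 KEK procedure as one script.
Assumptions (not from the original page): PK.PFX is a self-signed PK; signtool.exe is
on PATH; elevated PowerShell; $Time equals the -Time used with Format-SecureBootUEFI;
header offsets follow EFI_VARIABLE_AUTHENTICATION_2 from the UEFI specification.
#>
param([switch]$WriteToFirmware)   # without this switch nothing touches the firmware

$ErrorActionPreference = 'Stop'
$Time       = '2016-02-01T13:30:00Z'
$Content    = '.\KEK_SigList.bin'                          # unsigned, formatted KEK
$Serialized = '.\KEK_SigList_Serialization_for_KEK.bin'    # SignableFilePath from Format-SecureBootUEFI
$Signed     = "$Serialized.p7"                             # detached PKCS#7 written by signtool /p7
$Package    = '.\KEK_NewKey_Import_KEK.bin'                # SetVariable() package
$PkPfx      = '.\PK.PFX'

# Step 1: sign the serialization with the PK private key (Figure 17).
$pw = Read-Host -Prompt 'PK.PFX password'
& signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData `
    /a /f $PkPfx /p $pw $Serialized
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# Step 2: build the time-authenticated variable package on disk only (Table 5).
Set-SecureBootUEFI -Name KEK -Time $Time -ContentFilePath $Content `
    -SignedFilePath $Signed -OutputFilePath $Package | Out-Null

# Sanity-check the package header before it goes anywhere near the firmware.
$b = [IO.File]::ReadAllBytes((Resolve-Path $Package).Path)
# EFI_TIME (16 bytes): Year(2) Month Day Hour Minute Second Pad1 Nanosecond(4) TimeZone(2) Daylight Pad2
$stamp    = [datetime]::new([BitConverter]::ToUInt16($b, 0), $b[2], $b[3], $b[4], $b[5], $b[6], [DateTimeKind]::Utc)
$expected = [DateTimeOffset]::Parse($Time, [Globalization.CultureInfo]::InvariantCulture).UtcDateTime
if ($stamp -ne $expected) { throw "package timestamp $stamp does not match -Time $Time" }

# WIN_CERTIFICATE_UEFI_GUID at offset 16: dwLength(4) wRevision(2) wCertificateType(2) CertType GUID(16) CertData
$dwLength = [BitConverter]::ToUInt32($b, 16)
if ($dwLength -lt 24 -or 16 + $dwLength -gt $b.Length) { throw "bad WIN_CERTIFICATE dwLength $dwLength" }
$certType  = [BitConverter]::ToUInt16($b, 22)
$certGuid  = [guid]::new([byte[]]$b[24..39])
$pkcs7Guid = [guid]'4aafd29d-68df-49ee-8aa9-347d375665a7'   # EFI_CERT_TYPE_PKCS7_GUID
if ($certType -ne 0x0EF1 -or $certGuid -ne $pkcs7Guid) { throw 'AuthInfo is not a PKCS#7 WIN_CERTIFICATE_UEFI_GUID' }

# Payload: one or more EFI_SIGNATURE_LIST entries; walk them and make sure the sizes add up.
$x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'    # EFI_CERT_X509_GUID
$off = [int](16 + $dwLength); $lists = 0
while ($off -lt $b.Length) {
    $sigType  = [guid]::new([byte[]]$b[$off..($off + 15)])
    $listSize = [int][BitConverter]::ToUInt32($b, $off + 16)   # SignatureListSize
    if ($listSize -lt 28 -or $off + $listSize -gt $b.Length) { throw "malformed EFI_SIGNATURE_LIST at offset $off" }
    $kind = if ($sigType -eq $x509Guid) { 'X509' } else { $sigType }
    Write-Host ('signature list {0}: type {1}, {2} bytes' -f $lists, $kind, $listSize)
    $off += $listSize; $lists++
}
if ($lists -eq 0) { throw 'package carries no signature list' }
Write-Host "OK: $Package has a valid header and $lists signature list(s)"

# Step 3: write the KEK to the platform. This replaces the whole KEK; appending to an
# existing KEK needs -AppendWrite on both Format-SecureBootUEFI and Set-SecureBootUEFI.
if ($WriteToFirmware) {
    Set-SecureBootUEFI -Name KEK -Time $Time -ContentFilePath $Content -SignedFilePath $Signed | Out-Null
    # Read the variable back and compare it byte for byte with what was submitted.
    $readback = [Convert]::ToBase64String((Get-SecureBootUEFI -Name KEK).Bytes)
    $wanted   = [Convert]::ToBase64String([IO.File]::ReadAllBytes((Resolve-Path $Content).Path))
    if ($readback -eq $wanted) { Write-Host 'KEK written and read back successfully' }
    else { Write-Warning 'KEK read back from firmware differs from KEK_SigList.bin' }
}
```

Run it once without -WriteToFirmware to produce and inspect KEK_NewKey_Import_KEK.bin; the header checks catch the two mistakes this section is most prone to, a -Time value that differs from the one used at format time and a .p7 that is not a detached PKCS#7, before the firmware has a chance to reject the update.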